“Security” is everywhere—it’s mentioned in ransomware attacks and celebrity photo hacks, massive password leaks, petty laptop thefts, bitcoin mining, and other headlines we frequently see.
But what does it mean for your company, and the Macs you manage? The answer is far from black and white. Securing Macs—or endpoints in general—has many shades of gray and there isn't a one-size-fits-all approach. And while securing Macs is just one component of effectively managing them, it’s by far the most critical.
In the first of our two-part series on Mac security, we’ll discuss questions we commonly get from customers: what Mac security actually is, and the most popular methods of securing your fleet.
Mac security: the basics
When we talk about Mac or endpoint security, we usually mean the set of practices that keep your Macs (and the valuable company data on them) safe from cyberattacks. These practices make up the digital, or information, component of Mac security.
Contrary to popular belief, Macs DO get malware and can be compromised, most often through unpatched or out-of-date OS software. Just like Windows machines, Macs are susceptible to ransomware. They're also prone to common types of malware: McAfee reported that Mac malware grew 744% last year alone.
What about the physical component of Mac security? Anytime a computer leaves your office, or simply sits in your office unattended, it is exposed to physical security risk.
Suppose an engineer leaves a company laptop at a conference, or a laptop is stolen from your office overnight. If the disk isn't encrypted, a login password is no obstacle: the thief can boot the machine from external media, or move the drive to another computer, and read everything on it. At that point it's time to sound the alarms. They could delete company data, push malicious changes to your source code, steal customer data and IP, and more.
Fortunately, there are tried-and-true methods you can use to dramatically decrease your likelihood of a security breach, and give yourself some much needed peace of mind.
Methods of securing your fleet
Managing your Mac fleet is the first step in securing it: once you have management in place, you can proactively enforce best practices and respond to incidents immediately. Here are the three most popular methods of managing and securing your Macs, and what to consider when selecting what works for your company and within your workflows:
1. The manual, DIY approach
The manual, DIY approach involves adding and enforcing security policies on your employees' computers by hand. A typical workflow includes walking around to each employee's laptop to check disk encryption status, install anti-malware software, and download the latest versions of software. This method gives you direct control over each computer, and is the most hands-on approach to securing them.
However, once the computers are no longer in front of you, there is no guarantee that the policies you added will remain in place; a user can turn the firewall off or defer an update as easily as you turned it on. You'll also need to physically (and regularly!) check each employee's computer for software updates. And each employee's FileVault recovery key needs to be recorded and stored securely, because it is the only way back into an encrypted disk when the user forgets their password or leaves the company; lose it and you are locked out of your own computers.
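The walk-around check list above can at least be scripted so that the per-machine visit is a single command. The script below is an added example, not Fleetsmith code and not part of the original post. It audits the items the post names (FileVault, Gatekeeper, the application firewall, and pending software updates) by running the stock macOS tools and parsing what they print. The parsing functions take the command output as an argument, so they can be exercised with constructed sample output on any system; the real commands are only invoked when the script runs on macOS. The output strings matched are those the current macOS tools print; the report layout and the decision to treat an unreadable result as a failure are this example's own choices.

```shell
#!/bin/sh
# Added example (not Fleetsmith code): a minimal one-machine security audit
# covering the checks a DIY Mac admin would otherwise do by hand. Each
# *_state function parses the text a macOS command prints, so the parsing
# can be tested with constructed sample output on any system; the real
# commands are only run on macOS (uname -s = Darwin).

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
filevault_state() {
    case "$1" in
        *"FileVault is On."*)  echo on ;;
        *"FileVault is Off."*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# `spctl --status` prints "assessments enabled" or "assessments disabled"
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo on ;;
        *"assessments disabled"*) echo off ;;
        *)                        echo unknown ;;
    esac
}

# `socketfilterfw --getglobalstate` prints "Firewall is enabled. (State = 1)"
# or "Firewall is disabled. (State = 0)"
firewall_state() {
    case "$1" in
        *"Firewall is enabled."*)  echo on ;;
        *"Firewall is disabled."*) echo off ;;
        *)                         echo unknown ;;
    esac
}

# `softwareupdate -l` prints "No new software available." when the Mac is
# current; otherwise each pending update is listed on a line beginning with
# "* " (older releases indent that line, so leading whitespace is allowed).
pending_updates() {
    case "$1" in
        *"No new software available."*) echo 0 ;;
        *) printf '%s\n' "$1" | grep -c '^[[:space:]]*\* ' || true ;;
    esac
}

# Turn the four results into a failure count. "unknown" counts as a failure:
# a check that could not be made is not a check that passed.
count_failures() {
    n=0
    [ "$1" = on ] || n=$((n + 1))   # FileVault
    [ "$2" = on ] || n=$((n + 1))   # Gatekeeper
    [ "$3" = on ] || n=$((n + 1))   # application firewall
    [ "$4" = 0 ]  || n=$((n + 1))   # pending software updates
    echo "$n"
}

# Run the real commands on this Mac and print a report. None of these
# commands needs root; `softwareupdate -l` needs network access and can be
# slow. The exit status is the number of failed checks, so a cron job or
# login hook can open a ticket when it is non-zero.
audit_mac() {
    fv=$(filevault_state "$(fdesetup status 2>/dev/null)")
    gk=$(gatekeeper_state "$(spctl --status 2>/dev/null)")
    fw=$(firewall_state "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)")
    su=$(pending_updates "$(softwareupdate -l 2>/dev/null)")
    printf '%-28s %s\n' "FileVault (disk encryption)" "$fv" \
                        "Gatekeeper"                  "$gk" \
                        "Application firewall"        "$fw" \
                        "Pending software updates"    "$su"
    return "$(count_failures "$fv" "$gk" "$fw" "$su")"
}

if [ "$(uname -s)" = Darwin ]; then
    audit_mac
fi
```

Running it reports the state of each check and exits with the number of failures, which is what you would feed into a ticketing system or a spreadsheet of machines to revisit. It does not fix anything, and that is the DIY approach's weakness in miniature: the script tells you a machine drifted, but only a management system can put the setting back without another visit.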
2. Open-source options
There are plenty of great open-source options that help secure your fleet. The open-source community is also an incredibly valuable resource for finding peers and seeking advice on computer management. Commonly used open-source tools include Munki, Chef, and Puppet. (Fleetsmith also supports Chef and Puppet!)
Open-source options do require time and expertise to set up. You'll want to make sure that you can write your own configuration profiles, and remember to update them each time Apple changes the specification. We recommend reaching out to the Mac Admins community if you have questions on the process; chances are someone else has had them too. (We also recommend this great post by Erik Gomez of Pinterest, on why he chose to manage his Macs with Chef.)
3. Commercial tools
The third approach is using a commercial product to secure your Macs. There are tons of commercial options on the market, so it’s important to carefully review each vendor’s approach to security, as well as the fleet security features they offer.
Pay particular attention to the way a vendor protects sensitive information in transit (across the network or internet) and at rest (in the vendor's databases and backups). The gold standard is to encrypt all sensitive data both in transit and at rest, but most vendors don't do this. Table-stakes security features include: FileVault recovery key escrow, Gatekeeper management, firewall management, and authentication and screen lock management.
Now that you’re caught up on Mac security and the different options for managing and securing your fleet, stay tuned for the next post in our security series. We’ll cover the most important things you can do right now to protect your fleet, and how Fleetsmith can help.